I’ve just seen Microsoft’s latest security update for .NET 8 (CVE-2025-55315 / CWE-444) — an HTTP request smuggling vulnerability in Kestrel and ASP.NET Core, fixed in .NET 8.0.21.
I’m running Umbraco 13.11.0 on .NET 8 (Azure App Service + IIS). Does anyone know if Umbraco has any extra exposure here e.g. via its middleware, backoffice routes, or preview URLs?
We’re waiting on Azure App services to update to .Net 8.0.21 but in the interim period whilst we wait on Microsoft to deploy the patched version I’m wondering if there’s anything we need to be concerned about, specifically how requests are handled by Umbraco out of the box.
Thanks!